New Login Process

Update: the switch to the new VATSIM Single Sign On service has now taken place.

In the next couple of nights I will be rolling out an update to the VATNZ website which replaces the existing login process with the new VATSIM Single Sign On service.

The VATSIM SSO service lets trusted websites (such as divisional and regional sites) log their users in with their VATSIM ID and Password without the website ever having access to the users' passwords. This works similarly to services offered by companies like Google, Facebook, and Twitter that let you sign into third-party sites using your favourite social media account details, except that instead of your Twitter handle, you're using the same username and password that you use to fly or control on the VATSIM network.

The current method for signing into a website with your VATSIM Account Details is less secure: the website prompts you for your ID and password, then sends them both to VATSIM and asks "are these valid login details?". A correctly written website such as VATNZ never stores the user's VATSIM Account Details (it just forwards them on to VATSIM); however, there is no way for a user to know for a fact that this is the case. A less well written website could just as easily store a copy of each user's VATSIM Account Details in its database, for example!

So what will the new process look like?

The new sign in process is split into three screens:

VATNZ Website Sign In Screen

The existing sign in screen will be replaced with a new one explaining the new SSO process. Clicking the button at the bottom of this screen begins the login process. The screen also contains a 'Remember Me' checkbox which, when checked, tells the VATNZ site to remember once you've successfully logged in and not to prompt you again. If this checkbox is left unchecked, you will be logged out when you close the browser.

 

[Screenshot: SSO Sign In Screen]

 

VATSIM Login Screen

The next screen you will be taken to is the VATSIM SSO Login Screen. In the centre you are asked to enter your VATSIM ID and Password. Note: this screen is hosted on VATSIM's servers, not VATNZ's, and so your login information is no longer going to the VATNZ server at all. At the bottom of the screen is a summary of the site that is requesting that you log in - in this case, it's VATNZ - and a list of the account information that will be shared with the site. Again, you can see that VATSIM will not be sharing your password with us.

 

 

[Screenshot: SSO VATSIM Login]

 

VATSIM External Login Screen

Once you've successfully logged in with your VATSIM Account Details, the VATSIM External Login Screen is displayed. This screen asks you to confirm that you're willing to share your information with the VATNZ website. The two buttons in the top section allow you to cancel the login process. The button at the bottom confirms to VATSIM that they can complete the login process and inform the VATNZ website who you are. The 'Remember this site' checkbox allows you to tell VATSIM that they have your permission to share your details with VATNZ on future occasions. If you check this then the next time you log in using this process, you'll skip this screen; otherwise you have to explicitly give VATSIM the go ahead to tell VATNZ who you are every time you log in.

 


[Screenshot: SSO VATSIM External Login]

 


Don't worry, it seems more complicated than it actually is, and it is ultimately bringing more security to your VATSIM Account Details while allowing approved sites to log you in without requiring that you create and remember yet another username and password.

So how will this affect me?

When this change goes live, you will continue to log into the site the same way as before - by clicking on the Sign In link in the top-right corner of the site. You'll then progress through the three new screens above. After that, you'll be returned to the VATNZ site, fully logged in.

The only other effect you may notice is that when the change goes live, everyone's user sessions will be reset, meaning that even if you'd previously told the website to remember your login, you will be required to log in again via the new process the next time you visit the site.

 

I've also posted this in the Forums. I'll update this item and the forum post after the new process goes live. If you have any questions, please feel free to email me or to post them in the forum.

 

Nick